Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?


Article Contributor(s): Vaishnavi Krishna Mohan

Global Views 360

Publication Date: January 13, 2021



SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputed customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. It is a service provider to over 425 of the Fortune 500 companies, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A group of hackers managed to sneak malicious code into a software update for a SolarWinds tool called "Orion". The hackers had injected malware into the Orion updates released between March and June of 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government agencies such as the Pentagon, the National Institutes of Health, the FBI, DHS, the Department of Energy and the Department of Veterans Affairs were among the significant users of Orion. In fact, in August 2020 the Department of Veterans Affairs renewed its Orion license in a $2.8 million order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers had installed the compromised software, which means that these customers were exposed to spying operations throughout 2020. The malware inserted into the updates gave the hackers remote access to an organization's network. Because the malware went undetected for months, it gave the hackers ample opportunity to obtain information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the capabilities of the malware, from initially lying dormant for up to two weeks to hiding in plain sight by masquerading its activity as "Orion Activity". In 2016, Russian military hackers used a "supply chain" method to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya. That attack is considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has also been identified as a "supply chain" attack of the same kind.

The Orion software framework contained a backdoor that communicated via HTTP to third-party servers. The cybersecurity firm FireEye has been tracking the trojanized version of the Orion plug-in as SUNBURST.


FireEye described the use of the SUNBURST backdoor in a blog post published on 13 December 2020. It stated:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as "highly evasive". Meanwhile, SolarWinds is facing a class-action lawsuit filed by a shareholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit names SolarWinds' ex-president Kevin Thompson and chief financial officer J. Barton Kalsu, and alleges violations of federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also mentions that the SolarWinds update server had a weak and easily guessable password, 'solarwinds123'.

Microsoft's internal security research team found evidence that the same hackers had accessed some internal source code in the company's systems. Microsoft said the attackers' activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft has "an open source-like culture" that allows teams within the company to view source code. The company acknowledges that source code access is part of its threat model, but downplays the risk, saying that "just viewing the source code should not cause any elevated risk".

The Russian hackers have also managed to breach the network of the City of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of Austin's network is an apparent win for the Russian hackers. Theoretically, the compromise could have given them access to sensitive information relating to city governance, elections and the city police, and by digging deeper the hackers could practically burrow into the city's energy, water and airport networks.

Berserk Bear, the hacking group currently believed to be behind Austin's breach, appears to have used Austin's network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group, APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB). Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service (SVR). The FSB and SVR are considered successors of the Soviet-era Committee of State Security, widely known as the KGB.

The Austin City Council seems to have been aware of the breach since October 2020. The FBI and CISA published an initial advisory warning of "advanced persistent threat" (APT) actors on October 9, 2020. The advisory warned the city council of APTs targeting state and local governments. On October 22, a follow-up advisory was published in which both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations that were breached, scanned or targeted by Berserk Bear. Berserk Bear's reputation for lurking fits its common pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that adversaries have typically been inside a network for more than a couple of months before someone discovers their presence. Ruohonen also noted that this technique is especially favoured by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. F-Secure, in a report published in 2019, compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the City of Austin and the U.S. that the Berserk Bear hackers are not involved only in espionage and sabotage: they can gear up at any moment and wreak havoc in the United States. These Russian hackers could cause city blackouts, disrupt water supplies and even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says: "We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it."

Kevin Thompson, the ex-CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds replaced its former CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike his predecessor Thompson, who is an accountant by training, Ramakrishna comes from a security background, having led Pulse Secure in the recent past. The new CEO publicly stated that the company will make five critical changes to put security front and center. The company also hired former CISA chief Chris Krebs and Facebook's former security lead Alex Stamos, who work as independent consultants to help the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO said the company has engaged several cybersecurity experts to assist SolarWinds in its efforts to become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.


April 13, 2021 2:10 PM

Detecting The Ultra-High Energy Cosmic Rays With Smartphones

Smartphones have become the most commonplace objects in our daily lives. The power we hold in our hands is unrealized by most of us and, more importantly, untapped. Their capabilities are often misused, but one can only hope that their fascinating abilities will be put to good use. For example, did you know that the millions of phones around the globe can be connected to form a particle detector? The following article covers CRAYFIS (Cosmic RAYs Found in Smartphones), a phone-based application developed by physicists from the University of California, Daniel Whiteson, Michael Mulhearn and their team. CRAYFIS aims to take advantage of the large network of smartphones around the world to detect the cosmic or gamma-ray bursts that enter the Earth's atmosphere almost constantly.

What Are Cosmic Rays?

Cosmic rays are high-velocity subatomic particles that bombard the Earth's upper atmosphere continuously. Cosmic ray bursts have the highest energy of all forms of electromagnetic radiation. When we say ultra-high energy particles (energy above 10^18 eV), we mean two million times more energetic than the particles that can be produced by particle colliders on Earth. These rays are thought to be more powerful than typical supernovae and can release trillions of times more energy than the Sun. They are also highly unpredictable, as they can enter the Earth's atmosphere from any direction, and the bursts can last anywhere from a few thousandths of a second to several minutes.

Despite many theoretical hypotheses, the sources of these ultra-high energy cosmic rays remain a mystery to us decades after their discovery. They were initially discovered in the 1960s by the U.S. military while it was doing background checks for gamma rays after nuclear weapon tests. Cosmologists suggest that these bursts could be the result of super-massive stars collapsing, leading to a hypernova, or could be traced to collisions of black holes with other black holes or with neutron stars.

How Do We Detect Them?

When the high-energy particles collide with the Earth's atmosphere, the air and gas molecules cause them to break apart and create massive showers of relatively low-energy particles. The aurora borealis and aurora australis, i.e., the Northern and Southern Lights, are the lights emitted when these cosmic rays interact with the Earth's magnetic field. Currently, these particles hit the Earth at a rate of about one per square meter per second. The showers spread over a radius of one or two kilometers and consist mostly of high-energy photons, electrons, positrons and muons. But the fact that these particles can hit the Earth at any time and in any place is where the problem arises. Since the Earth has a massive surface area, it is not possible to place a detector everywhere and catch them at the exact moment.

Energetic charged particles known as cosmic rays hit our atmosphere, where they collide with air molecules to produce a shower of secondary particles | Source: CERN

Detecting such a shower requires a very big telescope, which in practice means a network of individual particle detectors distributed over a one- or two-mile-wide radius and connected to each other. The Pierre Auger Observatory in South America is the only such arrangement, with 1,600 particle detectors scattered over 3,000 square kilometers of land. Its construction cost about $100 million. Yet only a few cosmic ray particles could be detected using this arrangement. How do we spread this network around the Earth?

In addition to being cost-effective, such a setup must also be feasible. The Earth's surface cannot possibly be dotted with particle detectors that cost huge fortunes. This is where smartphones come into the picture.

Detecting The Particles Using Smartphones

Smartphones are the most appropriate devices for solving this problem. They have planet-wide coverage, are affordable for most people and are actively used by more than 1.5 billion people around the planet. Individually, these devices are low-powered and inefficient, but a sufficiently dense network of them gives us a chance to detect cosmic ray showers in the highest energy range.

Previous research has shown that smartphones are capable of detecting ionizing radiation. The camera is the most sensitive part of the smartphone and is just the device required to meet our expectations. The camera contains a CMOS (Complementary Metal Oxide Semiconductor) sensor, in which silicon photodiode pixels produce electron-hole pairs when struck by visible photons (when photons are detected by the CMOS sensor, they leave traces of weakly activated pixels). The incoming rays are also mixed with other noise and interference from the surroundings. Although these sensors are made to detect visible light, they are still capable of detecting higher-energy photons and also low-ionizing particles such as muons.

A screenshot from the app showing the exposure time, the events (the number of particles recorded) and other properties

To avoid normal light, the CRAYFIS application is meant to run at night with the camera facing down. While the phone's processor runs the application, it collects data from its surroundings using the camera as its detector element. The megapixel images (in which the incoming particles leave their traces) are scanned at 5 to 15 frames per second, depending on the frame-processing speed of the device. Scientists expect signals from cosmic rays to occur rarely, around one in 500 frames. There is also the job of removing background data. An algorithm sets a pixel threshold tuned so that frames pass the first stage at a rate of around 0.1 frames per second. Frames containing pixels above the threshold are stored and passed to the second stage, which examines the stored frames and saves only the pixels above a second, lower threshold.

The CRAYFIS app is designed to run when the phone is not in use and is connected to a power source. Actual performance is strongly affected by the geometry of the smartphone's camera and the conditions in which the data is collected. Further, once the application is installed and in operating mode, no participation is required from the user, which is necessary to achieve wide-scale participation. When a Wi-Fi connection is available, the collected data is uploaded to a central server so that it can be interpreted.

A good deal of complicated math is used to trace back the information collected by the application. The most important parameters for the app are the local density of incoming particles, the detection area of the phone and the particle identification efficiency. These parameters are used to find the mean number of candidates (photons or muons) a phone detects. From that mean, the probability that a phone detects no candidates, or detects one or more candidates, is given by a Poisson distribution. The density of the shower is directly proportional to the incident particle energy, with a distribution in x and y that is sensitive to the direction the particle came from. An unbinned likelihood analysis is used to determine the incident particle energy and direction (the likelihood is the probability of obtaining the observed data, in this case the distribution of cosmic ray hits including their energy and direction; in an unbinned analysis the data are arranged into bins that are very, very small). To eliminate background interference, a benchmark requirement has been set that at least 5 phones must detect and register a hit for the event to be considered a candidate.
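As an added illustration (not code from the CRAYFIS project or the paper), the two-stage frame filter described above and the Poisson detection model are written out in Python. The toy 3x3 frames, the two thresholds and the density, sensor-area and efficiency values are constructed assumptions; the coincidence function generalizes the five-phone requirement to a binomial count over independent phones.

```python
import math
from typing import List, Tuple

Frame = List[List[int]]  # one camera frame as a grid of pixel values (0-255)

# Constructed toy frames (3x3 instead of megapixel): frame 0 is dark noise,
# frame 1 carries a bright track pixel plus a fainter neighbour, frame 2 has
# a mid-level glow that never reaches the first-stage threshold.
SAMPLE_FRAMES: List[Frame] = [
    [[3, 5, 2], [4, 1, 6], [2, 3, 5]],
    [[10, 200, 10], [10, 40, 10], [10, 10, 10]],
    [[60, 55, 50], [50, 58, 52], [51, 53, 57]],
]


def two_stage_filter(frames: List[Frame], high: int, low: int) -> List[Tuple[int, List[Tuple[int, int, int]]]]:
    """Stage 1 keeps only frames with at least one pixel above `high`; stage 2
    saves every pixel above the lower `low` threshold from those frames.
    Returns (frame_index, [(row, col, value), ...]) for each frame kept."""
    kept = []
    for idx, frame in enumerate(frames):
        if not any(v > high for row in frame for v in row):
            continue  # stage 1: discard frames with no bright pixel at all
        pixels = [(r, c, v) for r, row in enumerate(frame)
                  for c, v in enumerate(row) if v > low]
        kept.append((idx, pixels))
    return kept


def mean_candidates(density_per_m2: float, area_m2: float, efficiency: float) -> float:
    """Expected number of candidates (photons or muons) one phone records:
    local shower density x sensor detection area x identification efficiency."""
    return density_per_m2 * area_m2 * efficiency


def p_detect(mu: float) -> float:
    """Poisson probability that a phone records one or more candidates (1 - P(0))."""
    return 1.0 - math.exp(-mu)


def p_coincidence(n_phones: int, p: float, min_hits: int = 5) -> float:
    """Probability that at least `min_hits` of `n_phones` phones register a hit,
    assuming independent phones with the same per-phone probability `p`."""
    return sum(math.comb(n_phones, k) * p ** k * (1.0 - p) ** (n_phones - k)
               for k in range(min_hits, n_phones + 1))


if __name__ == "__main__":
    for idx, pixels in two_stage_filter(SAMPLE_FRAMES, high=100, low=30):
        print(f"frame {idx} kept, pixels above low threshold: {pixels}")
    # Assumed values: 2000 particles/m^2 near the shower core, 20 mm^2 sensor, 50% efficiency
    mu = mean_candidates(density_per_m2=2000.0, area_m2=2e-5, efficiency=0.5)
    print(f"mean candidates per phone: {mu:.3f}, P(>=1 hit) = {p_detect(mu):.4f}")
    print(f"P(>=5 of 20 phones hit) = {p_coincidence(20, p_detect(mu)):.6f}")
```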

It is impossible to express just how mind-blowing this innovation is. As the days pass, science and technology keep surprising us and challenge us to rack our brains for more and more unique ways to deal with complex problems. The CRAYFIS app is simply beautiful, and it would be a dream come true for the scientists if the project works out and we are able to detect these high-energy, intimidating cosmic rays with smartphones from our own backyards.

Further Reading

The paper by Daniel Whiteson and team can be found here.

An exciting book “We Have No Idea” by Daniel Whiteson and cartoonist Jorge Cham can be found here.

The CRAYFIS app can be found here.
